[UNIX] WordPress Cafelog SQL Injection Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 10/09/03
To: list@securiteam.com
Date: 9 Oct 2003 15:51:34 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
WordPress Cafelog SQL Injection Vulnerability
------------------------------------------------------------------------
SUMMARY
WordPress (http://wordpress.org/) is "a semantic personal publishing
platform with a focus on aesthetics, web standards, and usability". The
WordPress Cafelog has been found to contain an SQL Injection vulnerability
due to its inadequate filtering of incoming user data.
DETAILS
Vulnerable Versions:
* CVS versions before October 1, 2003
* Vulnerability affects code inherited from b2, so all versions of
WordPress released before CVS fix are affected and many versions of b2 are
affected.
A number of SQL injection vulnerabilities have been fixed in the code that
builds the post query from URL parameters. The input handling removes ''',
'"' and '\', and munges ' ' into SQL constructs before the value reaches the
query, so string literals and plain spaces are not available to an attacker;
%09 (the tab character), however, passes through untouched and is accepted by
MySQL as whitespace, so it can be used wherever a space would normally appear
in the SQL string one wishes to inject. The problem affects the category
(cat) and order by (order_by) code. The author (author) code was almost
vulnerable, except that a small bug converted author to an integer before
string processing, which discarded the injected text. The problems are
located in the blog.header.php file, and the patch linked below (provided by
the authors) fixes the vulnerabilities and also includes general bug fixes
and code cleanup. Any SQL fragment not containing quotes or a backslash can
be injected through the URL.
The original report also suggests that an attacker with write access to a
filesystem the database server can read could load a file of arbitrary SQL
with 'source filename.sql;'. Note that 'source' is a command of the mysql
command-line client, not a statement the server executes, so that route is
not available through the application's query interface; the demonstrated
impact is disclosure of rows the query was not meant to return.
Patch:
A patch is available for download from:
http://cvs.sourceforge.net/viewcvs.py/cafelog/wordpress/blog.header.php.diff?r1=text&tr1=1.18&r2=text&tr2=1.21&diff_format=u
Exploit:
The following is an example URL:
http://fresh.wordpress.org/index.php?cat=100)%09or%090=0%09or%09(0=1
The example payload closes the parenthesised category test and appends a
tautology (0=0), so the WHERE clause matches every row and the page exposes
private posts. The report states that dropping tables should be trivial,
especially using the order_by flaw; in practice PHP's mysql_query() sends a
single statement per call and does not enable multi-statement execution, so a
stacked 'drop table foo;' appended after a ';' is rejected by the server, and
the reliable impact of these flaws is reading data the query was not meant
to return.
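The following is an added example, not code from the advisory or from
WordPress: a Python model of the filtering the advisory describes, run
against an in-memory SQLite table standing in for the MySQL posts table. The
table layout, column names, the exact shape of the pre-fix query and the
order_by whitelist are assumptions for illustration. It shows why a payload
built with spaces fails, why the same payload with %09 succeeds and exposes a
private post, and how casting cat to an integer with a bound parameter and
whitelisting order_by closes both holes.

```python
import sqlite3
from urllib.parse import unquote

# Constructed sample rows (not from the advisory): one public post and one
# private post, both in category 7. Column names are assumed, not WordPress's.
POSTS = [
    (1, 7, "publish", "Hello world"),
    (2, 7, "private", "Draft notes, not for the public"),
]

# Assumed whitelist for the hardened order_by handling.
ALLOWED_ORDER_BY = {"ID", "post_title"}


def _db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the MySQL table the PHP code queried."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (ID INTEGER, post_category INTEGER, "
        "post_status TEXT, post_title TEXT)"
    )
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?, ?)", POSTS)
    return conn


def legacy_filter(value: str) -> str:
    """Model of the pre-fix input handling the advisory describes: the single
    quote, double quote and backslash are removed, and spaces are altered
    (modelled here by dropping them, which is enough to show why the attacker
    falls back to %09). A tab passes through unchanged, and both MySQL and
    SQLite treat it as whitespace."""
    for ch in ("'", '"', "\\"):
        value = value.replace(ch, "")
    return value.replace(" ", "")


def vulnerable_titles(cat_param: str, order_by_param: str = "ID"):
    """Pre-fix shape: filtered URL parameters are interpolated into the SQL.
    Returns the titles the query yields, or None if the SQL did not parse."""
    cat = legacy_filter(unquote(cat_param))
    order_by = legacy_filter(unquote(order_by_param))
    sql = (
        f"SELECT post_title FROM posts WHERE (post_category = {cat}) "
        f"AND post_status = 'publish' ORDER BY {order_by}"
    )
    try:
        return [row[0] for row in _db().execute(sql)]
    except (sqlite3.Error, sqlite3.Warning):
        return None


def hardened_titles(cat_param: str, order_by_param: str = "ID"):
    """Post-fix shape: cat is cast to an integer and bound as a parameter,
    order_by is checked against a whitelist of column names."""
    try:
        cat = int(unquote(cat_param))
    except ValueError:
        return []            # non-numeric category: nothing to show
    order_by = unquote(order_by_param)
    if order_by not in ALLOWED_ORDER_BY:
        order_by = "ID"
    sql = (
        "SELECT post_title FROM posts WHERE post_category = ? "
        f"AND post_status = 'publish' ORDER BY {order_by}"
    )
    return [row[0] for row in _db().execute(sql, (cat,))]


if __name__ == "__main__":
    payload = "100)%09or%090=0%09or%09(0=1"   # the advisory's cat payload
    print("normal:  ", vulnerable_titles("7"))
    print("spaces:  ", vulnerable_titles("100) or 0=0 or (0=1"))
    print("tabs:    ", vulnerable_titles(payload))
    print("hardened:", hardened_titles(payload))
```

With spaces the filtered value runs the keywords together and the statement
fails to parse; with tabs the WHERE clause becomes
(post_category = 100) OR 0=0 OR ((0=1) AND post_status = 'publish'), so the
private row is returned. The hardened version rejects the payload at the
integer cast, and an order_by value outside the whitelist is replaced rather
than interpolated. Like PHP's mysql_query(), the sqlite3 module executes one
statement per call, so appending a second statement after a ';' is refused
here as well.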
ADDITIONAL INFORMATION
The information has been provided by Seth Woolley (seth@tautology.org).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.